Abstract. We consider the setting of component-based design for real-time systems with critical timing constraints. Based on our earlier work, we propose a compositional specification theory for timed automata with I/O distinction, which supports substitutive refinement. Our theory provides the operations of parallel composition for composing components at run-time, logical conjunction/disjunction for independent development, and quotient for incremental synthesis. The key novelty of our timed theory lies in a weakest congruence preserving safety as well as bounded-liveness properties. We show that the congruence can be characterised by two linear-time semantics, timed-traces and timed-strategies, the latter of which is derived from a game-based interpretation of timed interaction.

1 Introduction 

Component-based design methodologies can be encapsulated in the form of compositional specification theories, which allow the mixing of specifications and implementations, admit substitutive refinement to facilitate reuse, and provide a rich collection of operators. Previously [1], we developed a linear-time specification theory for reasoning about untimed components that interact by synchronisation of input and output (I/O) actions, inspired by interface automata [3]. Models can be specified operationally by means of transition systems augmented by an inconsistency predicate on states, or declaratively using traces. The theory admits non-determinism, a refinement preorder based on traces, and the operations of parallel composition, conjunction and quotient. The refinement is strictly weaker than alternating simulation and is actually the weakest precongruence preserving inconsistent states. This implies that our refinement is substitutive, meaning component A refines component B iff A can replace B in any environmental context without introducing additional errors.

In this paper we target component-based development for real-time systems with critical timing constraints. We formulate a timed extension of the linear-time specification theory of [1], by allowing for both operational descriptions of components, as well as declarative specifications based on traces. Our operational models are based on a variant of timed automata with I/O distinction (although we do not insist on input-enabledness, cf. [3]), augmented by two special states: $\bot$ for safety and bounded-liveness errors, and $\top$ for timestop. Trace-based declarative specifications are shown to be a suitable semantic domain for the operational models. In addition to timed-trace semantics, we present timed-strategy semantics, which coincides with the former but relates our work closer to the timed-game frameworks used by [4] and [5]. The substitutive refinement of our framework gives rise to the weakest congruence preserving $\bot$, and is shown to coincide across all our formalisms.

Amongst notable works in the literature, we briefly mention a theory of timed interfaces [5] and a theory of timed specifications [3]. Timed interface theory contributes a framework based on timed games to formalise notions such as interfaces and compatibility, and also provides a parallel composition operator. However, the work cannot be considered a specification theory as it does not deal with the notion of refinement for component substitution or the operations of conjunction, disjunction and quotient. In this respect, [4] provides a complete theory; however, the refinement is a timed version of the alternating simulation originally defined for interface automata [2]. Consequently, it is too strong for determining when a component can be safely substituted with another (cf. the example in Figure 3).

Outline. In Section 2 we introduce timed I/O automata, their semantic mapping to timed I/O transition systems, and supply the operational definitions for the operations of parallel composition, conjunction, disjunction and quotient. In Section 3 we use the timed-game framework to introduce timed-strategy semantics, which we relate to the operational framework. Similarly in Section 4 we present timed-trace semantics and relate these to the operational definitions. Section 5 discusses related work, and finally Section 6 concludes.

2 Formal Framework 

In this section we introduce timed I/O automata, timed I/O transition systems 
and a semantic mapping from the former to the latter. Timed I/O automata 
are compact representations of timed I/O transition systems. Our theory will be 
developed using timed I/O transition systems, which are endowed with a richer 
repertoire of semantic machinery. 

2.1 Timed I/O Automata 

Clock constraints. Given a set $X$ of real-valued clock variables, a clock constraint over $X$, $cc : CC(X)$, is a boolean combination of atomic constraints of the form $x \bowtie d$ and $x - y \bowtie d$ where $x, y \in X$, $\bowtie \in \{<, \le, =, \ge, >\}$, and $d \in \mathbb{N}$.

A clock valuation over $X$ is a map $t$ that assigns to each clock variable $x$ in $X$ a real value from $\mathbb{R}^{\ge 0}$. We say $t$ satisfies $c c$, written $t \in cc$, if $cc$ evaluates to true under valuation $t$. $t + d$ denotes the valuation derived from $t$ by increasing the assigned value on each clock variable by $d \in \mathbb{R}^{\ge 0}$ time units. $t[rs \mapsto 0]$ denotes the valuation obtained from $t$ by resetting the clock variables in $rs$ to 0. Sometimes we use $\mathbf{0}$ for the clock valuation that maps all clock variables to 0.

Definition 1. A timed I/O automaton (TIOA) is a tuple $(C, I, O, L, l^0, AT, Inv, coInv)$, where:

— $C \subseteq X$ is a finite set of clock variables

— $A\ (= I \cup O)$ is a finite alphabet, where $I$ and $O$ are disjoint sets of input actions and output actions respectively

— $L$ is a finite set of locations

— $l^0 \in L$ is the initial location

— $AT \subseteq L \times CC(C) \times A \times 2^C \times L$ is a set of action transitions

— $Inv : L \to CC(C)$ and $coInv : L \to CC(C)$ assign invariants and co-invariants to states, each of which is a downward-closed clock constraint.

We use $l, l', l_i$ to range over $L$ and use $l \xrightarrow{g,a,rs} l'$ as a shorthand for $(l, g, a, rs, l') \in AT$. $g : CC(C)$ is the enabling guard of the transition, $a \in A$ the action, and $rs$ the subset of clock variables to be reset.

Our TIOAs are similar to existing variants of timed automata with input/output distinction, except for the introduction of co-invariants and non-insistence on input-enabledness. While invariants specify the bounds beyond which time may not progress, co-invariants specify the bounds beyond which the system will time-out and enter error states. Our TIOAs can be used to describe both the assumptions made by the component on the inputs, together with the guarantees provided by the component on the outputs. Such assumptions and guarantees can be time constrained: guards on output transitions express safety timing guarantees, while guards on input transitions express safety timing assumptions; invariants (urgency) express liveness timing guarantees on outputs while co-invariants (time-out) express liveness timing assumptions on inputs.

When components interact together, we check whether the guarantees they 
provide meet the assumptions they make on each other. If not, there are two 
types of errors: 

— An input arrives in a state and at a time when it is not expected (i.e. not 
satisfying the guards on the input transitions). This is a safety error. 

— An input does not arrive in a state within a time bound (specified by a 
co-invariant) as expected. This is a bounded-liveness error. 

Example. Figure 1 depicts TIOAs representing a job scheduler together with a printer controller. The invariant at location A of the scheduler forces a bounded-liveness guarantee on outputs in that location. As time must be allowed to progress beyond $t = 100$, the start action must be fired within the range $0 \le t \le 100$. After start has been fired, the clock $x$ is reset to 0 and the scheduler waits (possibly indefinitely) for the job to finish. If the job does finish, the scheduler is only willing for this to take place between $5 \le t \le 8$ after the job started (safety assumption), otherwise an unexpected input error will be thrown.

The controller waits for the job to start, after which it will wait exactly 1 time unit before issuing print (forced by the invariant $y \le 1$ on state 2 and the guard $y = 1$). The controller now requires the printer to indicate the job is printed within 10 time units of being sent to the printer, otherwise a time-out error on inputs will occur (co-invariant $y \le 10$ in state 3 as liveness assumption). After the job has finished printing, the controller must indicate to the scheduler that the job has finished within 5 time units.
[Fig. 1. Job scheduler and printer controller. Recovered from the figure: Scheduler with locations A (Inv: x <= 100, Co: true) and B, a start! transition resetting x from A to B, and finish? with guard 5 <= x <= 8 from B to A. Printer_controller with locations 1, 2 (Inv: y <= 1, Co: true), 3 (Inv: true, Co: y <= 10) and 4 (Inv: y <= 5, Co: true); transitions start? with y := 0 from 1 to 2, print! with guard y == 1 from 2 to 3, printed? with y := 0 from 3 to 4, and finish! with guard y <= 5 from 4 to 1.]



2.2 Timed Actions and Words 

In this section we introduce some notation relating to timed actions and timed 
words that will be of use to us in later sections. 

Timed actions. For a set of input actions $I$ and a set of output actions $O$, define $tA = I \uplus O \uplus \mathbb{R}^{>0}$ to be the set of timed actions, $tI = I \uplus \mathbb{R}^{>0}$ to be the set of timed inputs, and $tO = O \uplus \mathbb{R}^{>0}$ to be the set of timed outputs. We use symbols like $\alpha, \beta$, etc. to range over $tA$.

Timed words. A timed word (ranged over by $w, w', w_i$ etc.) is a finite mixed sequence of positive real numbers ($\mathbb{R}^{>0}$) and visible actions such that no two numbers are adjacent to one another. For instance, $(0.33, a, 1.41, b, c, 3.1415)$ is a timed word denoting the observation that action $a$ occurs at 0.33 time units, then another 1.41 time units lapse before the simultaneous occurrence of $b$ and $c$, which is followed by 3.1415 time units of no event occurrence. The empty word is denoted by $\epsilon$.

Operations on timed words. We use $last(w)$ to denote the last element in the sequence $w$, and $l(w)$ to indicate the length, which is obtained as the sum of all the reals in $w$. Concatenation of timed words $w$ and $w'$ is obtained by appending $w'$ onto the end of $w$ and coalescing adjacent reals (summing them). For instance, $(a, 1.41) \frown (0.33, b, 3.1415) = (a, (1.41 + 0.33), b, 3.1415) = (a, 1.74, b, 3.1415)$. Prefix/extension are defined as usual by concatenation, and we use $\le$ for the prefix partial order. We write $w \upharpoonright tA$ for the projection of $w$ onto timed alphabet $tA$, which is defined by removing from $w$ all actions not inside $tA$ and coalescing adjacent reals.
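The operations just defined, as an added worked example in Python that is not part of the paper: a timed word is a tuple mixing floats (delays) and strings (actions); `concat` coalesces adjacent reals exactly as in the paper's example, `project` restricts a word to a timed alphabet, and `is_prefix` decides the prefix order that concatenation induces (a trailing real of the prefix may be smaller than the matching real of the longer word). The helper names and the sample word are this example's own.

```python
# Added example (not from the paper): timed words of Section 2.2 as Python tuples.
# Reals are floats, actions are strings; helper names are this example's own.

def is_timed_word(w):
    """Finite mix of positive reals and actions in which no two reals are adjacent."""
    for i, x in enumerate(w):
        if isinstance(x, float):
            if x <= 0 or (i > 0 and isinstance(w[i - 1], float)):
                return False
    return True

def concat(w, v):
    """Append v to w, summing a trailing real of w with a leading real of v."""
    if w and v and isinstance(w[-1], float) and isinstance(v[0], float):
        return w[:-1] + (w[-1] + v[0],) + v[1:]
    return w + v

def length(w):
    """l(w): total time elapsed, i.e. the sum of the reals in w."""
    return sum(x for x in w if isinstance(x, float))

def project(w, alphabet):
    """w restricted to the timed alphabet over `alphabet`: drop the other actions
    and coalesce the reals that become adjacent."""
    out = ()
    for x in w:
        if isinstance(x, float) or x in alphabet:
            out = concat(out, (x,))
    return out

def is_prefix(u, w):
    """u <= w iff some v gives concat(u, v) == w.  Because reals coalesce, a trailing
    real of u only needs to be no larger than the real at the same position of w."""
    if not u:
        return True
    if len(u) > len(w) or u[:-1] != w[:len(u) - 1]:
        return False
    last_u, last_w = u[-1], w[len(u) - 1]
    if isinstance(last_u, float):
        return isinstance(last_w, float) and last_u <= last_w
    return last_u == last_w

# The paper's own example word: a at 0.33, then b and c together 1.41 later
# (constructed here as the sample input).
EXAMPLE = (0.33, "a", 1.41, "b", "c", 3.1415)
```

Projecting `EXAMPLE` onto the alphabet `{"b"}` yields `(1.74, "b", 3.1415)`, because dropping `a` leaves the reals 0.33 and 1.41 adjacent and they are summed, which is the only subtle step in these definitions.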

2.3 Semantics as Timed I/O Transition Systems 

The semantics of TIOAs are given as timed I/O transition systems, which are a 
special class of infinite labelled transition systems. 

Definition 2. A timed I/O transition system (TIOTS) is a tuple $\mathcal{P} = (I, O, S, s^0, \to)$, where: $I$ and $O$ are the input and output actions respectively, $S$ is a set of states, $s^0$ is the designated initial state, and $\to \subseteq S \times (I \uplus O \uplus \mathbb{R}^{>0}) \times S$ is the action- and time-labelled transition relation.
The states of the TIOTS for a TIOA capture the configurations of the automaton, i.e. its location and clock valuation. Therefore, each state of the TIOTS is a pair drawn from $L \times \mathbb{R}^C$, which we refer to as the set of plain states, denoted $P$. In addition, we introduce two special states $\bot$ and $\top$, which are required for the semantic mapping of disabled inputs/outputs, invariants and co-invariants.

$\bot$ is called the inconsistent state, representing safety and bounded-liveness errors. $\top$ is the so-called timestop state, representing the magic moment from which no error can occur.¹

An intuitive way to understand $\top$ and $\bot$ is from an input/output game perspective. The component controls output and delay while the environment controls input. $\bot$ is the losing state for the environment. So a disabled input at a state $p$ is equated to an input transition from $p$ to $\bot$. $\top$ is the losing state for the component. So a disabled output/delay at $p$ is equated to an output/delay transition from $p$ to $\top$. Thus we can have two semantics-preserving transformations on TIOTSs.

The $\bot$-completion of a TIOTS $\mathcal{P}$, denoted $\mathcal{P}^\bot$, adds an $a$-labelled transition from $p$ to $\bot$ for every $p \in P_{\mathcal{P}}$ and $a \in I$ s.t. $a$ is not enabled at $p$. $\bot$-completion will make a TIOTS input-receptive, i.e. input-enabled at all states. The $\top$-completion of a TIOTS $\mathcal{P}$, denoted $\mathcal{P}^\top$, adds an $\alpha$-labelled transition from $p$ to $\top$ for every $p \in P_{\mathcal{P}}$ and $\alpha \in tO$ s.t. $\alpha$ is not enabled at $p$.

Furthermore, for technical convenience (e.g. ease of defining time additivity), the definition of TIOTSs requires that 1) $\top$ is a quiescent state, i.e. a state in which the set of outgoing transitions are all self-loops, one for each $d \in \mathbb{R}^{>0}$, and 2) $\bot$ is a chaotic state, i.e. a state in which the set of outgoing transitions are all self-loops, one for each $\alpha \in tA$. The set of all possible states is denoted $S = P \uplus \{\bot, \top\}$. We use $p, p', p_i$ to range over $P$ while $s, s', s_i$ range over $S$.

The transition relation — > of the TIOTS is derived from the execution se- 
mantics of the TIOA. 

Definition 3. Let $\mathcal{P}$ be a TIOA. The semantic mapping of $\mathcal{P}$ is a TIOTS $(I, O, S, s^0, \to)$, where:

— $S = (L \times \mathbb{R}^C) \uplus \{\bot, \top\}$

— $s^0 = \top$ providing $\mathbf{0} \notin Inv(l^0)$, $s^0 = \bot$ providing $\mathbf{0} \in Inv(l^0) \wedge \neg coInv(l^0)$, and $s^0 = (l^0, \mathbf{0})$ providing $\mathbf{0} \in Inv(l^0) \wedge coInv(l^0)$,

— $\to$ is the smallest relation satisfying:

1. If $l \xrightarrow{g,a,rs} l'$, $t' = t[rs \mapsto 0]$, $t \in Inv(l) \wedge coInv(l) \wedge g$, then:

(a) plain action: $(l, t) \xrightarrow{a} (l', t')$ providing $t' \in Inv(l') \wedge coInv(l')$

(b) error action: $(l, t) \xrightarrow{a} \bot$ providing $t' \in Inv(l') \wedge \neg coInv(l')$

(c) magic action: $(l, t) \xrightarrow{a} \top$ providing $t' \in \neg Inv(l')$.

2. plain delay: $(l, t) \xrightarrow{d} (l, t + d)$ if $t, t + d \in Inv(l) \wedge coInv(l)$

3. time-out delay: $(l, t) \xrightarrow{d} \bot$ if $t \in Inv(l) \wedge coInv(l)$, $t + d \notin coInv(l)$ and $\exists\, 0 < \delta < d : t + \delta \in Inv(l) \wedge \neg coInv(l)$.

¹ For instance, a location with true as co-invariant and false as invariant is mapped to $\top$, while a location with true as invariant and false as co-invariant is mapped to $\bot$. A location with false for both invariant and co-invariant is mapped to $\top$ since invariants have priority over co-invariants according to our semantics; whereas a location with $x \le 0$ as invariant and true as co-invariant is mapped to a plain state.

Note that our semantics tries to minimise the use of transitions leading to $\top$/$\bot$ states. Thus there are no delay transitions leading to $\top$. This creates implicit timestops, which we capture using the concept of semi-timestop (i.e. semi-$\top$). We say a plain state $p$ is a semi-$\top$ iff 1) all output transitions enabled in $p$ or any of its time-passing successors lead to the $\top$ state, and 2) there exists $d \in \mathbb{R}^{>0}$ s.t. $p \xrightarrow{d} \top$ or $d$ is not enabled in $p$. Thus a semi-$\top$ is a state in which it is impossible for the component to avoid the timestop without suitable inputs from the environment.

TIOTS terminology. A TIOTS is time additive providing $p \xrightarrow{d_1 + d_2} s'$ iff $p \xrightarrow{d_1} s$ and $s \xrightarrow{d_2} s'$ for some $s$. In the sequel of this paper we only consider TIOTSs that are time-additive.

We say a TIOTS is deterministic iff there is no ambiguous transition in the TIOTS, i.e. $s \xrightarrow{\alpha} s' \wedge s \xrightarrow{\alpha} s''$ implies $s' = s''$.

Given a TIOTS $\mathcal{P}$, a timed word can be derived from a finite execution of $\mathcal{P}$ by extracting the labels in each transition and coalescing adjacent reals. The timed words derived from such executions are called traces of $\mathcal{P}$. We use $\pi, \pi', \pi_i$ to range over the set of traces and use $s^0 \xRightarrow{\pi} s$ to denote a finite execution that produces trace $\pi$ and leads to $s$.

2.4 Operational Specification Theory 

In this section we develop a compositional specification theory for TIOTSs based on the operations of parallel composition $\|$, conjunction $\wedge$, disjunction $\vee$ and quotient $\%$. The operators are defined via transition rules that are a variant on synchronised product.

Parallel composition yields a TIOTS that represents the combined effect of its operands interacting with one another. The remaining operations must be explained with respect to a refinement relation, which corresponds to safe-substitutivity in our theory. A TIOTS is a refinement of another if it will work in any environment that the original worked in without introducing safety or bounded-liveness errors. Conjunction yields the coarsest TIOTS that is a refinement of its operands, while disjunction yields the finest TIOTS that is refined by both of its operands. The operators are thus equivalent to the join and meet operations on TIOTSs.² Quotient is the adjoint of parallel composition, meaning that $\mathcal{P}_0 \% \mathcal{P}_1$ is the coarsest TIOTS such that $(\mathcal{P}_0 \% \mathcal{P}_1) \| \mathcal{P}_1$ is a refinement of $\mathcal{P}_0$.

Let $\mathcal{P}_i = (I_i, O_i, S_i, s^0_i, \to_i)$ for $i \in \{0, 1\}$ be two TIOTSs that are both $\bot$- and $\top$-completed, satisfying (wlog) $S_0 \cap S_1 = \{\bot, \top\}$. The composition of $\mathcal{P}_0$ and $\mathcal{P}_1$ under the operation $\otimes \in \{\|, \wedge, \vee, \%\}$, written $\mathcal{P}_0 \otimes \mathcal{P}_1$, is only defined when certain composability restrictions are imposed on the alphabets of the TIOTSs. $\mathcal{P}_0 \| \mathcal{P}_1$ is only defined when the output sets of $\mathcal{P}_0$ and $\mathcal{P}_1$ are disjoint, because an output should be controlled by at most one component. Conjunction and disjunction are defined only when the TIOTSs have identical alphabets (i.e. $O_0 = O_1$ and $I_0 = I_1$). This restriction can be relaxed at the expense of more cumbersome notation, which is why we focus on the simpler case in this paper. For the quotient, we require that the alphabet of $\mathcal{P}_0$ dominates that of $\mathcal{P}_1$ (i.e. $A_1 \subseteq A_0$ and $O_1 \subseteq O_0$), in addition to $\mathcal{P}_1$ being a deterministic TIOTS. As quotient is a synthesis operator, it is difficult to give a definition using just state-local transition rules, since quotient needs global information of the transition systems. This is why we insist on $\mathcal{P}_1$ being deterministic.³

² As we write $A \sqsubseteq B$ to mean $A$ is refined by $B$, our operators $\wedge$ and $\vee$ are reversed in comparison to the standard symbols for meet and join.

Table 1. State representations under composition operators. [table body not recovered]

Definition 4. Let $\mathcal{P}_0$ and $\mathcal{P}_1$ be TIOTSs composable under $\otimes \in \{\|, \wedge, \vee, \%\}$. Then $\mathcal{P}_0 \otimes \mathcal{P}_1 = (I, O, S, s^0, \to)$ is the TIOTS where:

— If $\otimes = \|$, then $I = (I_0 \cup I_1) \setminus O$ and $O = O_0 \cup O_1$

— If $\otimes \in \{\wedge, \vee\}$, then $I = I_0 = I_1$ and $O = O_0 = O_1$

— If $\otimes = \%$, then $I = I_0 \cup O_1$ and $O = O_0 \setminus O_1$

— $S = P_0 \times P_1 \uplus P_0 \uplus P_1 \uplus \{\top, \bot\}$

— $s^0 = s^0_0 \otimes s^0_1$

— $\to$ is the smallest relation containing $\to_0 \cup \to_1$, and satisfying the rules:

$$\frac{p_0 \xrightarrow{\alpha}_0 s_0' \qquad p_1 \xrightarrow{\alpha}_1 s_1'}{p_0 \otimes p_1 \xrightarrow{\alpha} s_0' \otimes s_1'} \qquad \frac{p_0 \xrightarrow{\alpha}_0 s_0' \qquad \alpha \notin A_1}{p_0 \otimes p_1 \xrightarrow{\alpha} s_0' \otimes p_1} \qquad \frac{p_1 \xrightarrow{\alpha}_1 s_1' \qquad \alpha \notin A_0}{p_0 \otimes p_1 \xrightarrow{\alpha} p_0 \otimes s_1'}$$

We adopt the notation $s_0 \otimes s_1$ for states, where the associated interpretation is supplied in Table 1. Furthermore, given two plain states $p_i = (l_i, t_i)$ for $i \in \{0, 1\}$, we define $p_0 \times p_1 = ((l_0, l_1), t_0 \uplus t_1)$.

Table 1 tells us how states should be combined under the composition operators. From the environment's point of view, $\top$ refines plain states, which in turn refine $\bot$. For parallel, a state is magic if one component state is magic, and a state is error if one component is error while the other is not magic. For conjunction, encountering error in one component implies the component can be discarded and the rest of the composition behaves like the other component. The conjunction table follows the intuition of the join operation on the refinement preorder. Similarly for disjunction. Quotient is the adjoint of parallel composition. If the second component state does not refine the first, the quotient will try to rescue the refinement by producing $\top$ (so that its composition with the second will refine the first). If the second component state does refine the first, the quotient will produce the least refined value so that its composition with the second will not break the refinement.

³ Technically speaking, the problem lies in that the state quotient operator is right-distributive but not left-distributive over state disjunction (cf. Table 1).

An environment for a TIOTS $\mathcal{P}$ is any TIOTS $\mathcal{Q}$ such that the alphabet of $\mathcal{Q}$ is complementary to that of $\mathcal{P}$, meaning $I_\mathcal{P} = O_\mathcal{Q}$ and $O_\mathcal{P} = I_\mathcal{Q}$. Refinement in our framework corresponds to contextual substitutability, in which the context is an arbitrary environment.

Definition 5. Let $\mathcal{P}_{imp}$ and $\mathcal{P}_{spec}$ be TIOTSs with identical alphabets. $\mathcal{P}_{imp}$ refines $\mathcal{P}_{spec}$, denoted $\mathcal{P}_{spec} \sqsubseteq \mathcal{P}_{imp}$, iff for all environments $\mathcal{Q}$, $\mathcal{P}_{spec} \| \mathcal{Q}$ is $\bot$-free implies $\mathcal{P}_{imp} \| \mathcal{Q}$ is $\bot$-free. We say $\mathcal{P}_{imp}$ and $\mathcal{P}_{spec}$ are substitutively equivalent, i.e. $\mathcal{P}_{spec} \sim \mathcal{P}_{imp}$, iff $\mathcal{P}_{imp} \sqsubseteq \mathcal{P}_{spec}$ and $\mathcal{P}_{spec} \sqsubseteq \mathcal{P}_{imp}$.

It is obvious that $\sim$ induces an equivalence on TIOTSs and no equivalence that preserves the $\bot$ state can be weaker than $\sim$. In the sequel we will give two concrete characterisations of $\sim$ and show that $\sim$ is also a congruence w.r.t. the parallel composition, conjunction, disjunction and quotient operators.

The operational definition of quotient requires that $\mathcal{P}_1$ is determinised, which can be accomplished by a modified subset construction procedure on $(\mathcal{P}_1^\bot)^\top$. If the current state subset $S_0$ contains $\bot$, it reduces $S_0$ to $\bot$; if $\bot \notin S_0 \neq \{\top\}$, it reduces $S_0$ by removing any potential $\top$ in $S_0$. As expected, the determinisation of $\mathcal{P}$, denoted $\mathcal{P}^D$, is substitutively equivalent to $\mathcal{P}$.

Proposition 1. Any TIOTS is substitutively equivalent to a deterministic TIOTS.

Equipped with determinisation, quotient is a fully defined operator on any pair of TIOTSs. Furthermore, we can give an alternative (although substitutively equivalent) formulation of quotient as the derived operator $(\mathcal{P}_0^{-1} \| \mathcal{P}_1)^{-1}$, where $^{-1}$ is a mirroring operation that first determinises its argument, then interchanges the input and output sets, as well as the $\top$ and $\bot$ states.

Example. Figure 2 shows the parallel composition of the job scheduler with the printer controller. In the transition from B4 to A1, the guard combines the effects of the constraints on the clocks $x$ and $y$. As finish is an output of the controller, it can be fired at a time when the scheduler is not expecting it, meaning that a safety error will occur. This is indicated by the transition to $\bot$ when the guard constraint $5 \le x \le 8$ is not satisfied.
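As an added worked example that is not part of the paper, the following Python code makes the semantic mapping of Definition 3 (on the $\bot$- and $\top$-completed TIOTS) and the parallel-composition rules of Definition 4 executable on the scheduler and controller of Fig. 1, so that the safety error of this section's example and the time-out error of the earlier one can both be computed. Clock constraints are conjunctions of atoms, the automata are transcribed by hand from the figures (print! resets $y$ as drawn in Fig. 2), and every name (`succ`, `par_succ`, `par_state`, `horizon`, `Aut`) is this example's own rather than the paper's notation. The parallel row of Table 1 is taken from its description in the text; the time-out rule is decided exactly, using the downward-closedness of invariants and co-invariants, instead of by sampling delays.

```python
from collections import namedtuple
import operator

BOT, TOP = "bot", "top"   # the inconsistent state and the timestop state

# A clock constraint is a conjunction of atoms (clock, op, constant); invariants and
# co-invariants only use "<" / "<=", which keeps them downward-closed (Definition 1).
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq, ">=": operator.ge, ">": operator.gt}

def sat(cc, t):
    """t satisfies cc, for a clock valuation t given as a dict clock -> value."""
    return all(OPS[op](t[x], c) for x, op, c in cc)

def horizon(cc, t):
    """(h, closed): h is the supremum of delays d with t+d in the downward-closed cc,
    closed says whether d = h itself still satisfies it (False if a strict atom binds)."""
    h, closed = float("inf"), True
    for x, op, c in cc:
        rem = c - t[x]
        if rem < h or (rem == h and op == "<"):
            h, closed = rem, op == "<="
    return h, closed

# A TIOA as in Definition 1; trans holds tuples (l, guard, action, clocks to reset, l').
Aut = namedtuple("Aut", "inputs outputs inv coinv trans")

def succ(aut, state, label):
    """A successor of `state` under an action name or positive delay (Definition 3, on the
    bottom- and top-completed TIOTS).  None means the label is not enabled at all."""
    is_delay = isinstance(label, (int, float))
    if state == BOT:                          # chaotic: self-loop on every timed action
        return BOT
    if state == TOP:                          # quiescent: self-loops on delays only
        return TOP if is_delay else None
    if not is_delay and label not in aut.inputs | aut.outputs:
        return None
    l, t = state
    if not (sat(aut.inv[l], t) and sat(aut.coinv[l], t)):
        return None                           # such a configuration is never reached
    if is_delay:
        t2 = {x: v + label for x, v in t.items()}
        if sat(aut.inv[l], t2) and sat(aut.coinv[l], t2):
            return (l, t2)                    # rule 2: plain delay
        if not sat(aut.coinv[l], t2):         # rule 3: time-out delay, if some delta in
            lo, lo_open = horizon(aut.coinv[l], t)   # (0, d) satisfies Inv but not coInv
            h_inv, inv_closed = horizon(aut.inv[l], t)
            hi, hi_open = (label, True) if label <= h_inv else (h_inv, not inv_closed)
            if lo < hi or (lo == hi and not lo_open and not hi_open):
                return BOT
    else:                                     # the example automata are deterministic,
        for src, g, a, resets, dst in aut.trans:   # so at most one transition matches
            if src == l and a == label and sat(g, t):
                t2 = {x: (0.0 if x in resets else v) for x, v in t.items()}
                if not sat(aut.inv[dst], t2):
                    return TOP                # rule 1(c): magic action
                if not sat(aut.coinv[dst], t2):
                    return BOT                # rule 1(b): error action
                return (dst, t2)              # rule 1(a): plain action
    # completion: a disabled input goes to bottom, a disabled output or delay to top
    return BOT if label in aut.inputs else TOP

def par_state(s0, s1):
    """Table 1, parallel row: magic if either is magic, error if one is error and the
    other is not magic, otherwise the product of two plain states."""
    if TOP in (s0, s1):
        return TOP
    if BOT in (s0, s1):
        return BOT
    (l0, t0), (l1, t1) = s0, s1
    return ((l0, l1), {**t0, **t1})

def par_succ(a0, a1, s0, s1, label):
    """Definition 4 rules for ||: shared actions and all delays synchronise, an action
    private to one operand leaves the other operand's state unchanged."""
    cur = par_state(s0, s1)
    if cur in (BOT, TOP):
        return succ(a0, cur, label)           # only the special state's own self-loops
    is_delay = isinstance(label, (int, float))
    n0 = succ(a0, s0, label) if is_delay or label in a0.inputs | a0.outputs else s0
    n1 = succ(a1, s1, label) if is_delay or label in a1.inputs | a1.outputs else s1
    return None if n0 is None or n1 is None else par_state(n0, n1)

# Fig. 1 transcribed by hand (constructed data); print! resets y as Fig. 2 shows.
scheduler = Aut(inputs={"finish"}, outputs={"start"},
                inv={"A": [("x", "<=", 100)], "B": []}, coinv={"A": [], "B": []},
                trans=[("A", [], "start", {"x"}, "B"),
                       ("B", [("x", ">=", 5), ("x", "<=", 8)], "finish", set(), "A")])
controller = Aut(inputs={"start", "printed"}, outputs={"print", "finish"},
                 inv={"1": [], "2": [("y", "<=", 1)], "3": [], "4": [("y", "<=", 5)]},
                 coinv={"1": [], "2": [], "3": [("y", "<=", 10)], "4": []},
                 trans=[("1", [], "start", {"y"}, "2"), ("2", [("y", "==", 1)], "print", {"y"}, "3"),
                        ("3", [], "printed", {"y"}, "4"), ("4", [("y", "<=", 5)], "finish", set(), "1")])

def demo():
    """The situations the text discusses, keyed by a short description."""
    return {
        "finish? too early is a safety error": succ(scheduler, ("B", {"x": 3.0}), "finish"),
        "waiting past coInv is a time-out error": succ(controller, ("3", {"y": 9.0}), 2.0),
        "Fig. 2, finish! from B4 with x = 3": par_succ(scheduler, controller, ("B", {"x": 3.0}), ("4", {"y": 2.0}), "finish"),
    }
```

`demo()` reproduces the cases discussed in the text: a finish? arriving at $x = 3$ goes to $\bot$ by $\bot$-completion (safety error), a delay of 2 in controller location 3 at $y = 9$ goes to $\bot$ by the time-out rule (bounded-liveness error), and the composite finish! from B4 at $x = 3$ is the transition to $\bot$ of Fig. 2, while at $x = 6$ it is the plain transition to A1. A delay that would violate the invariant $y \le 1$ in location 2 goes to $\top$ by $\top$-completion, which is the implicit timestop the semi-$\top$ discussion refers to.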

3 Timed I/O Game 

[Fig. 2. Parallel composition of the job scheduler and printer controller. Recovered from the figure: the product starts in A1 (Inv: x <= 100, Co: true); start! with x, y := 0 leads to a location with Inv: y <= 1, Co: true; print! with guard y == 1 and y := 0 leads to a location with Inv: true, Co: y <= 10; printed? with y := 0 leads to B4 (Inv: y <= 5, Co: true); from B4, finish! with guard 5 <= x <= 8 and y <= 5 returns to A1, while finish! with guard not (5 <= x <= 8) and y <= 5 leads to ⊥.]

Our specification theory can be understood from a game theoretical point of view. It is an input-output game between a component and an environment that uses a coin to break ties. The specification of a component (in the form of a TIOA or TIOTS) is built to encode the set of strategies possible for the component in the game (just like an NFA encodes a set of words).

— Given two TIOTSs $\mathcal{P}$ and $\mathcal{Q}$ with identical alphabets, we say $\mathcal{P}$ is a partial unfolding [B] of $\mathcal{Q}$ if there exists a function $f$ from $S_\mathcal{P}$ to $S_\mathcal{Q}$ s.t. 1) $f$ maps $\top$ to $\top$, $\bot$ to $\bot$, and plain states to plain states, 2) $f(s^0_\mathcal{P}) = s^0_\mathcal{Q}$, and 3) $p \xrightarrow{\alpha}_\mathcal{P} s \Rightarrow f(p) \xrightarrow{\alpha}_\mathcal{Q} f(s)$.

— We say an acyclic TIOTS is a tree if 1) there does not exist a pair of transitions in the form of $p \xrightarrow{a} p''$ and $p' \xrightarrow{d} p''$, 2) $p \xrightarrow{a} p'' \wedge p' \xrightarrow{b} p''$ implies $p = p'$ and $a = b$ and 3) $p \xrightarrow{d} p'' \wedge p' \xrightarrow{d} p''$ implies $p = p'$.

— We say an acyclic TIOTS is a simple path if 1) $p \xrightarrow{a} s' \wedge p \xrightarrow{a'} s''$ implies $s' = s''$ and $a = a'$ and 2) $p \xrightarrow{d} s' \wedge p \xrightarrow{d} s''$ implies $s' = s''$.

— We say a simple path $\mathcal{L}$ is a run of $\mathcal{P}$ if $\mathcal{L}$ is a partial unfolding of $\mathcal{P}$.

Strategies. A strategy $\mathcal{G}$ is a deterministic tree TIOTS s.t. each plain state in $\mathcal{G}$ is ready to accept all possible inputs by the environment, but allows a single move (delay or output) by the component, i.e. $eb_\mathcal{G}(p) = I \uplus mv_\mathcal{G}(p)$ s.t. $mv_\mathcal{G}(p) = \{a\}$ for some $a \in O$ or $\{\} \subset mv_\mathcal{G}(p) \subseteq \mathbb{R}^{>0}$, where $eb_\mathcal{G}(p)$ denotes the set of enabled timed actions in state $p$ of LTS $\mathcal{G}$, and $mv_\mathcal{G}(p)$ denotes the unique component move allowed by $\mathcal{G}$ at $p$.

A TIOTS $\mathcal{P}$ contains a strategy $\mathcal{G}$ if $\mathcal{G}$ is a partial unfolding of $(\mathcal{P}^\bot)^\top$. The set of strategies⁴ contained in $\mathcal{P}$ is denoted $stg(\mathcal{P})$. Since it makes little sense to distinguish strategies that are isomorphic, we will freely use strategies to refer to their isomorphism classes and write $\mathcal{G} = \mathcal{G}'$ to mean $\mathcal{G}$ and $\mathcal{G}'$ are isomorphic.

Let us give some examples in Figure 3. For the sake of simplicity we use two untimed transition systems $\mathcal{P}$ and $\mathcal{Q}$, which have identical alphabets $I = \{e, f\}$ and $O = \{a, b, c\}$, to illustrate the idea of strategies. The transition systems use solid lines while strategies use dotted lines. Plain states are unmarked while the $\top$ and $\bot$ states are marked by $\top$ and $\bot$ resp.⁵ We show four strategies of $\mathcal{P}$ and two strategies of $\mathcal{Q}$ on the right hand side of $\mathcal{P}$ and $\mathcal{Q}$ resp. in Figure 3. (They are not the complete sets of strategies for $\mathcal{P}$ and $\mathcal{Q}$.) Note that the strategies 3 and 4 owe their existence to the $\top$-completion.

⁴ In this paper we use a set of strategies (say $\Pi$) to mean a set of strategies with identical alphabets.

⁵ To simplify drawing, multiple copies of $\top$ and $\bot$ are allowed but the self-loops on them are omitted.

[Fig. 3. Strategy example. Panels (A) and (B); the drawing itself was not recovered.]
Comparing strategies. When the game is played, the component tries to avoid reaching $\top$ while the environment tries to avoid reaching $\bot$. Different strategies in $stg(\mathcal{P})$ vary in their effectiveness to achieve the objective. Such effectiveness can be compared if two strategies closely resemble each other: we say $\mathcal{G}$ and $\mathcal{G}'$ are affine if $s^0_\mathcal{G} \xRightarrow{\pi} p$ and $s^0_{\mathcal{G}'} \xRightarrow{\pi} p'$ implies $mv_\mathcal{G}(p) = mv_{\mathcal{G}'}(p')$. Intuitively, it means $\mathcal{G}$ and $\mathcal{G}'$ propose the same move at the 'same' states. For instance, the strategies 1, 3 and A in Figure 3 are pairwise affine and so are the strategies 2, 4 and B.

Given two affine strategies $\mathcal{G}$ and $\mathcal{G}'$, we say $\mathcal{G}$ is more aggressive than $\mathcal{G}'$, denoted $\mathcal{G} \preceq \mathcal{G}'$, if 1) $s^0_{\mathcal{G}'} \xRightarrow{\pi} \bot$ implies there is a prefix $\pi_0$ of $\pi$ s.t. $s^0_\mathcal{G} \xRightarrow{\pi_0} \bot$ and 2) $s^0_\mathcal{G} \xRightarrow{\pi} \top$ implies there is a prefix $\pi_0$ of $\pi$ s.t. $s^0_{\mathcal{G}'} \xRightarrow{\pi_0} \top$. Intuitively, it means $\mathcal{G}$ can reach $\bot$ faster but $\top$ slower than $\mathcal{G}'$. $\preceq$ forms a partial order over $stg(\mathcal{P})$, or more generally, over any set of strategies with identical alphabets. For instance, strategy A is more aggressive than 1 and 3, while strategy B is more aggressive than 2 and 4.

When the game is played, the component $\mathcal{P}$ prefers to use the maximally aggressive strategies in $stg(\mathcal{P})$.⁶ Thus two components that differ only in non-maximally aggressive strategies should be equated. We define the strategy semantics of component $\mathcal{P}$ to be $[\mathcal{P}]_s = \{\mathcal{G}' \mid \exists \mathcal{G} \in stg(\mathcal{P}) : \mathcal{G} \preceq \mathcal{G}'\}$, i.e. the upward-closure of $stg(\mathcal{P})$ w.r.t. $\preceq$.

Game rules. When a component strategy $\mathcal{G}$ is played against an environment strategy $\mathcal{G}'$, at each game state (i.e. a product state $p_\mathcal{G} \times p_{\mathcal{G}'}$) $\mathcal{G}$ and $\mathcal{G}'$ each propose a move (i.e. $mv_\mathcal{G}(p_\mathcal{G})$ and $mv_{\mathcal{G}'}(p_{\mathcal{G}'})$). If one of them is a delay and the other is an action, the action will prevail. If both propose delay moves (i.e. $mv_\mathcal{G}(p_\mathcal{G}), mv_{\mathcal{G}'}(p_{\mathcal{G}'}) \subseteq \mathbb{R}^{>0}$), the smaller one (w.r.t. set containment) will prevail. Since a delay move proposed at a strategy state is the maximal set of possible delays enabled at that state, the next move proposed at the new state after firing the set must be an action move (due to time additivity). Thus a play cannot have two consecutive delay moves.

⁶ This is because our semantics is designed to preserve $\bot$ rather than $\top$.

Revisiting Timed Specification Theories: A Linear-Time Perspective 11

If, however, both propose action moves, there will be a tie, which will be resolved by tossing the coin. For uniformity's sake, the coin can be treated as a special component. A strategy of the coin is a function $h$ from $tA^*$ to $\{0, 1\}$. We denote the set of all possible coin strategies as $H$.

A play of the game can be formalised as a composition of three strategies, one each from the component, environment and coin, denoted $\mathcal{G}_\mathcal{P} \|_h \mathcal{G}_\mathcal{Q}$. At a current game state $p_\mathcal{P} \times p_\mathcal{Q}$, if the prevailing action is $\alpha$ and we have $p_\mathcal{P} \xrightarrow{\alpha} s_\mathcal{P}$ and $p_\mathcal{Q} \xrightarrow{\alpha} s_\mathcal{Q}$, then the next game state is $s_\mathcal{P} \| s_\mathcal{Q}$. The play will stop when it reaches either $\top$ or $\bot$. The composition will produce a simple path $\mathcal{L}$ that is a run of $\mathcal{P} \| \mathcal{Q}$. Since $\mathcal{P} \| \mathcal{Q}$ gives rise to a closed system (i.e. the input alphabet is empty), a run of $\mathcal{P} \| \mathcal{Q}$ is a strategy of $\mathcal{P} \| \mathcal{Q}$.

This is crucial since it reveals that strategy composition of $\mathcal{P}$ and $\mathcal{Q}$ is closely related to their parallel composition: $stg(\mathcal{P} \| \mathcal{Q}) = \{\mathcal{G}_\mathcal{P} \|_h \mathcal{G}_\mathcal{Q} \mid \mathcal{G}_\mathcal{P} \in stg(\mathcal{P}), \mathcal{G}_\mathcal{Q} \in stg(\mathcal{Q})$ and $h \in H\}$.

Parallel composition. Strategy composition, like component (parallel) composition, can be generalised to any pair of components $\mathcal{P}$ and $\mathcal{Q}$ with composable alphabets, that is, $O_\mathcal{P} \cap O_\mathcal{Q} = \{\}$. For such $\mathcal{P}$ and $\mathcal{Q}$, $\mathcal{G}_\mathcal{P} \|_h \mathcal{G}_\mathcal{Q}$ gives rise to a tree rather than simple path TIOTS. That is, at each game state $p_\mathcal{P} \times p_\mathcal{Q}$, besides firing the prevailing $\alpha \in tO_\mathcal{P} \cup tO_\mathcal{Q}$, we need also to fire 1) all the synchronised inputs, i.e. $e \in I_\mathcal{P} \cap I_\mathcal{Q}$, and reach the new game state $s_\mathcal{P} \| s_\mathcal{Q}$ (assuming $p_\mathcal{P} \xrightarrow{e} s_\mathcal{P}$ and $p_\mathcal{Q} \xrightarrow{e} s_\mathcal{Q}$) and 2) all the independent inputs, i.e. $e \in (I_\mathcal{P} \cup I_\mathcal{Q}) \setminus (A_\mathcal{P} \cap A_\mathcal{Q})$, and reach the new game state $s_\mathcal{P} \times p_\mathcal{Q}$ or $p_\mathcal{P} \times s_\mathcal{Q}$. It is easy to verify that $\mathcal{G}_\mathcal{P} \|_h \mathcal{G}_\mathcal{Q}$ is a strategy of $\mathcal{P} \| \mathcal{Q}$.

Conjunction/disjunction. Besides strategy composition, strategy conjunction ($\&$) and strategy disjunction ($+$) are also definable. They are binary operators defined only on pairs of affine strategies. We define $\mathcal{G} \& \mathcal{G}' = \mathcal{G} \wedge \mathcal{G}'$ and $\mathcal{G} + \mathcal{G}' = \mathcal{G} \vee \mathcal{G}'$. Note that if $\mathcal{G}$ and $\mathcal{G}'$ are not affine, $\mathcal{G} \wedge \mathcal{G}'$ and $\mathcal{G} \vee \mathcal{G}'$ do not necessarily produce a strategy. For instance the disjunction of the strategies 1 and 2 in Figure 3 will produce a transition system that stops to output after the $a$ transition.

Refinement. Strategy semantics induce an equivalence on TIOTSs. That is, $\mathcal{P}$ and $\mathcal{Q}$ are strategy equivalent iff $[\mathcal{P}]_s = [\mathcal{Q}]_s$. However, strategy equivalence is too fine for the purpose of substitutive refinement (cf. Definition 5). For instance, transition systems $\mathcal{P}$ and $\mathcal{Q}$ in Figure 3 are substitutively equivalent, but are not strategy equivalent, because 1, 2, 3 and 4 are strategies of $\mathcal{Q}$ (due to upward-closure w.r.t. $\preceq$), but A and B are not strategies of $\mathcal{P}$.

However, we demonstrate that substitutive equivalence is reducible to strategy equivalence providing we perform disjunction closure on strategies.

Lemma 1. Given a pair of affine component strategies $\mathcal{G}_0$ and $\mathcal{G}_1$, $\mathcal{G}_0 \|_h \mathcal{G}$ and $\mathcal{G}_1 \|_h \mathcal{G}$ are $\bot$-free for some environment strategy $\mathcal{G}$ and $h \in H$ iff $(\mathcal{G}_0 + \mathcal{G}_1) \|_h \mathcal{G}$ is $\bot$-free.

We say $\Pi^+$ is a disjunction closure of $\Pi$ iff it is the least superset of $\Pi$ s.t. $\mathcal{G} + \mathcal{G}' \in \Pi^+$ for all pairs of affine strategies $\mathcal{G}, \mathcal{G}' \in \Pi^+$. It is easy to see the disjunction closure operation preserves the upward-closedness of strategy sets.

Theorem 1. Given TIOTSs $\mathcal{P}$ and $\mathcal{Q}$, $\mathcal{P} \sqsubseteq \mathcal{Q}$ iff $[\mathcal{Q}]^+_s \subseteq [\mathcal{P}]^+_s$.

For instance, the disjunction of strategies 1 and 3 produces A, while the disjunction of strategies 2 and 4 produces B. Thus $[\mathcal{P}]^+_s = [\mathcal{Q}]^+_s$.



Relating operational composition to strategies. The operations of parallel compo- 
sition, conjunction and disjunction defined on the operational models of TIOTSs 
(Section 2.4 ) can be characterised by simple operations on strategies in the game- 
based setting. 

Lemma 2. For $\|$-composable TIOTSs $\mathcal{P}$ and $\mathcal{Q}$, $[\![\mathcal{P} \| \mathcal{Q}]\!]^+_s = \{\mathcal{G}_{\mathcal{P}\|\mathcal{Q}} \mid \exists \mathcal{G}_{\mathcal{P}} \in [\![\mathcal{P}]\!]^+_s,\ \mathcal{G}_{\mathcal{Q}} \in [\![\mathcal{Q}]\!]^+_s,\ h \in H : \mathcal{G}_{\mathcal{P}} \|_h \mathcal{G}_{\mathcal{Q}} \preceq \mathcal{G}_{\mathcal{P}\|\mathcal{Q}}\}$.

Lemma 3. For $\vee$-composable TIOTSs $\mathcal{P}$ and $\mathcal{Q}$, $[\![\mathcal{P} \vee \mathcal{Q}]\!]^+_s = ([\![\mathcal{P}]\!]^+_s \cup [\![\mathcal{Q}]\!]^+_s)^+$.

Lemma 4. For $\wedge$-composable TIOTSs $\mathcal{P}$ and $\mathcal{Q}$, $[\![\mathcal{P} \wedge \mathcal{Q}]\!]^+_s = [\![\mathcal{P}]\!]^+_s \cap [\![\mathcal{Q}]\!]^+_s$.

Lemma 5. For $\%$-composable TIOTSs $\mathcal{P}$ and $\mathcal{Q}$, $[\![\mathcal{P} \% \mathcal{Q}]\!]^+_s = \{\mathcal{G}_{\mathcal{P}\%\mathcal{Q}} \mid \forall \mathcal{G}_{\mathcal{Q}} \in [\![\mathcal{Q}]\!]^+_s,\ h \in H : \mathcal{G}_{\mathcal{P}\%\mathcal{Q}} \|_h \mathcal{G}_{\mathcal{Q}} \in [\![\mathcal{P}]\!]^+_s\}$.

Thus conjunction and disjunction are the join and meet operations, and the quotient produces the coarsest TIOTS s.t. $(\mathcal{P}_0 \% \mathcal{P}_1) \| \mathcal{P}_1$ is a refinement of $\mathcal{P}_0$.

Lemma 6. For any TIOTS $\mathcal{P}$, $[\![\mathcal{P}^{\sim}]\!]^+_s = \{\mathcal{G}_{\mathcal{P}^{\sim}} \mid \forall \mathcal{G}_{\mathcal{P}} \in [\![\mathcal{P}]\!]^+_s,\ h \in H : \mathcal{G}_{\mathcal{P}} \|_h \mathcal{G}_{\mathcal{P}^{\sim}} \text{ is } \bot\text{-free}\}$.

Theorem 2. $\simeq$ is a congruence w.r.t. $\|$, $\vee$, $\wedge$ and $\%$, subject to composability.



Summary. Strategy semantics has given us the weakest $\bot$-preserving congruence (i.e. $[\![\mathcal{P}]\!]^+_s$) for timed specification theories based on the operators of (parallel) composition, conjunction, disjunction and quotient. Strategy semantics captures nicely the game-theoretic nature as well as the operational intuition of the specification theories. However, the equivalence can also be characterised, in a more declarative manner, by timed traces, as we see in the next section.



4 Declarative Specification Theory 

In this section, we develop a compositional specification theory based on timed traces. We introduce the concept of a timed-trace structure, which is an abstract representation of a timed component. The timed-trace structure contains the essential information about the component needed to check whether it can be substituted for another in a safety- and liveness-preserving manner.

Given any TIOTS $\mathcal{P} = (I, O, S, s^0, \rightarrow)$, we can extract three sets of traces from its $\top/\bot$-completion: $TP$ (plain traces), the set of timed traces leading to plain states; $TE$ (error traces), the set of timed traces leading to $\bot$; and $TM$ (magic traces), the set of timed traces leading to $\top$. The three sets contain sufficient but not necessary information for our substitutive refinement, which is designed to preserve $\bot$ rather than $\top$. For instance, adding any trace $tt \in TE$ to $TP$ should not change the semantics of the component; similarly for removing any trace $tt \in TP$ from $TM$. Based on a slight abstraction of the three sets we can define a triple-trace structure as the semantics of $\mathcal{P}$.

Definition 6 (Triple-trace structure). $\mathcal{TT}(\mathcal{P}) := (I, O, TT, TR, TE)$, where $TT := TE \cup TP \cup TM$ is the set of all traces and $TR := TE \cup TP$ the set of realisable traces.

Obviously, $TE$ is extension-closed. $TT$ is non-empty and prefix-closed. $TR$ is prefix-closed and fully branching$^7$ w.r.t. $TT$ (i.e. $tt \cdot \langle a \rangle \in TT$ for all $tt \in TR$ and $a \in tA$). $TT \setminus TR$ is time-extension closed (i.e. $tt \in X \Rightarrow tt \cdot \langle d \rangle \in X$), and any pair of traces from $TT \setminus TR$ that are related by extension are related by time-extension.

From here on let $\mathcal{P}_0$ and $\mathcal{P}_1$ be two TIOTSs with triple-trace structures $\mathcal{TT}(\mathcal{P}_i) := (I_i, O_i, TT_i, TR_i, TE_i)$ for $i \in \{0, 1\}$. Define $\bar{i} = 1 - i$.

The substitutive refinement relation $\sqsubseteq$ of Section 2.4 can equally be characterised by means of trace containment. Consequently, $\mathcal{TT}(\mathcal{P}_0)$ can be regarded as an alternative encoding of the set $[\![\mathcal{P}_0]\!]^+_s$ of strategies.

Theorem 3. $\mathcal{P}_0 \sqsubseteq \mathcal{P}_1$ iff $TT_1 \subseteq TT_0$, $TR_1 \subseteq TR_0$ and $TE_1 \subseteq TE_0$.

We are now ready to define the timed-trace structure semantics of the operators of our specification theory. Intuitively, the timed-trace semantics mimic the synchronised product of the operational definitions in Section 2.4. An important fact used in formulating these operations on traces is that, for any trace $tt \in tA^*$ and TIOTS $\mathcal{P}$, either $tt$ is a trace of $\mathcal{P}$ or there is some prefix $tt_0$ of $tt$ s.t. $tt_0$ is an error or magic trace of $\mathcal{P}$.

Parallel composition. The idea behind parallel composition is that the projection 
of any trace in the composition onto the alphabet of one of the components 
should be a trace of that component. 

Proposition 2. If $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\|$-composable, then $\mathcal{TT}(\mathcal{P}_0 \| \mathcal{P}_1) = (I, O, TT, TR, TE)$ where $I = (I_0 \cup I_1) \setminus O$, $O = O_0 \cup O_1$ and the trace sets are given by (for some $i \in \{0, 1\}$, $\bar{i} = 1 - i$):

- $TE = \{tt \mid tt \upharpoonright tA_i \in TE_i \wedge tt \upharpoonright tA_{\bar i} \in TR_{\bar i}\} \cdot tA^*$

- $TR = TE \uplus \{tt \mid tt \upharpoonright tA_i \in (TR_i \setminus TE_i) \wedge tt \upharpoonright tA_{\bar i} \in (TR_{\bar i} \setminus TE_{\bar i})\}$

- $TT = TR \uplus \{tt \mid tt \upharpoonright tA_i \in (TT_i \setminus TR_i) \wedge (tt_0 < tt \Rightarrow tt_0 \upharpoonright tA_{\bar i} \in (TR_{\bar i} \setminus TE_{\bar i}))\} \cdot \mathbb{R}_{\geq 0}$

$^7$ This is due to $\top/\bot$-completion.

The above says that $tt$ is an error trace if the projection of $tt$ on one component is an error trace while the projection of $tt$ on the other component is not a magic trace. $tt$ is a realisable trace if $tt$ is either an error trace or a plain trace; $tt$ is a plain trace if the projections of $tt$ on both components are plain traces. Finally, $tt$ is a magic trace if its projection on one component is a magic trace, while the projections of all strict prefixes of $tt$ on the other component are plain traces.

Disjunction. From any composite state in the disjunction of two components, the composition should only be willing to accept inputs that are accepted by both components, but should accept the union of outputs. After witnessing an output enabled by only one of the components, the disjunction should behave like that component. Because of the way that $\bot$ and $\top$ work in Table 1, this loosely corresponds to taking the union of the traces of the respective components.

Proposition 3. If $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\vee$-composable, then $\mathcal{TT}(\mathcal{P}_0 \vee \mathcal{P}_1) = (I, O, TR_0 \cup TR_1 \cup TM, TR_0 \cup TR_1, TE_0 \cup TE_1)$, where $I = I_0 = I_1$, $O = O_0 = O_1$ and $TM = \{tt \mid tt \in (TT_i \setminus TR_i) \wedge \exists tt_0 \leq tt : tt_0 \in (TT_{\bar i} \setminus TR_{\bar i})\} \cdot \mathbb{R}_{\geq 0}$.

Essentially, $tt$ is a magic trace if it is a magic trace on one component while one of its prefixes is a magic trace on the other component. The realisable and error traces are simply the unions of the corresponding traces of $\mathcal{P}_0$ and $\mathcal{P}_1$.

Conjunction. Similarly to disjunction, from any composite state in the conjunction of two components, the composition should only be willing to accept outputs that are accepted by both components, and should accept the union of inputs, until a stage when one of the components' input assumptions has been violated, after which it should behave like the other component. Because of the way that both $\bot$ and $\top$ work in Table 1, this essentially corresponds to taking the intersection of the traces of the respective components.

Proposition 4. If $\mathcal{P}_0$ and $\mathcal{P}_1$ are $\wedge$-composable, then $\mathcal{TT}(\mathcal{P}_0 \wedge \mathcal{P}_1) = (I, O, (TR_0 \cap TR_1) \cup TM, TR_0 \cap TR_1, TE_0 \cap TE_1)$, where $I = I_0 = I_1$, $O = O_0 = O_1$ and $TM = \{tt \mid tt \in (TT_i \setminus TR_i) \wedge (tt_0 < tt \Rightarrow tt_0 \in TR_{\bar i})\} \cdot \mathbb{R}_{\geq 0}$.

A trace $tt$ is a magic trace if it is a magic trace on one of the components and all its strict prefixes are realisable by the other component. The realisable and error traces are simply the intersections of the corresponding traces of $\mathcal{P}_0$ and $\mathcal{P}_1$.

Quotient. The quotient ensures that its composition with the second component is a refinement of the first. Given the synchronised running of $\mathcal{P}_0$ and $\mathcal{P}_1$, if $\mathcal{P}_0$ is in a more refined state than $\mathcal{P}_1$, the quotient will try to rescue the refinement by taking $\top$ as its state (so that its composition with $\mathcal{P}_1$'s state refines $\mathcal{P}_0$'s). If $\mathcal{P}_0$ is in a less or equally refined state than $\mathcal{P}_1$'s, the quotient will take the worst possible state without breaking the refinement.
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Proposition 5. IfV dominates Vi, then TT(Vq%Px) = (I, 0, TT, TR, TE), 
where I = Iq U 0\, = 0q \ 0\, and the trace sets satisfy: 

- TE = {tt | (tt e TE a tt < tt => tt f tAi £ TE X ) V (tt \ tA x e (TT r \ 
TRi) A tt <tt=> tt Q £ TTq \ TRq)} ■ tA* 

- TR = TE W {tt | tt e (TRo \ TE ) A tt \ tA x e ( TR\ \ TEi)} 

- TT = TR\& {tt | {tt e (TT a \ TR ) A tto < tt tt \ tA x e TR X ) V (tt \ 
tA x £ TEi A tt <tt^tto<£ TE )}. 

The above says that $tt$ is an error trace if either 1) $tt$ is an error trace in $\mathcal{P}_0$, but the projection on $\mathcal{P}_1$ of no strict prefix of $tt$ is an error trace, or 2) the projection of $tt$ on $\mathcal{P}_1$ is a magic trace, but no strict prefix of $tt$ is a magic trace in $\mathcal{P}_0$. $tt$ is a magic trace if either 1) $tt$ is a magic trace in $\mathcal{P}_0$, but the projection on $\mathcal{P}_1$ of no prefix of $tt$ is a magic trace, or 2) the projection of $tt$ on $\mathcal{P}_1$ is an error trace, but no prefix of $tt$ is an error trace in $\mathcal{P}_0$.

Mirroring of triple-trace structures is straightforward: $\mathcal{TT}(\mathcal{P}_0)^{\sim} = (O_0, I_0, TT_0, TT_0 \setminus TE_0, TT_0 \setminus TR_0)$. This is because dealing with traces gives us implicit determinism, so we can skip the determinisation step. Consequently, quotient can also be defined as the derived operator $(\mathcal{TT}(\mathcal{P}_0)^{\sim} \| \mathcal{TT}(\mathcal{P}_1))^{\sim}$.
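The following is an added example, not code from the paper: it encodes a triple-trace structure as a membership predicate on normalised timed traces and evaluates the operators of Propositions 2 to 5 and the mirror lazily, trace by trace, so that the derived quotient $(\mathcal{TT}(\mathcal{P}_0)^{\sim} \| \mathcal{TT}(\mathcal{P}_1))^{\sim}$ can be compared with the direct definition of Proposition 5 on concrete traces. Everything beyond the propositions is an assumption made for the example: delays are integers (so a trace has finitely many prefixes, time prefixes included), each TIOTS is a deterministic one-clock automaton whose clock resets on every action, $\top/\bot$-completion is applied while classifying a trace (an unexpected input leads to $\bot$, an unoffered output to $\top$, a delay beyond a location invariant to $\bot$), "dominates" is read as $A_1 \subseteq A_0$, and the components `SPEC` and `PART` are constructed for illustration.

```python
# Added example (not the paper's code): triple-trace structures (Definition 6) as membership
# predicates, with the operators of Propositions 2-5 and the mirror. Assumed: integer delays,
# TIOTSs as deterministic one-clock automata (clock reset on every action), top/bottom
# completion applied while classifying a trace, and "dominates" read as A_1 inside A_0.
PLAIN, ERROR, MAGIC = "plain", "error", "magic"     # None = not a trace (outside TT)

def normalise(tt):              # merge adjacent delays, drop zero delays: equal timed words compare equal
    out = []
    for x in tt:
        if isinstance(x, int) and out and isinstance(out[-1], int): out[-1] += x
        elif x != 0: out.append(x)
    return tuple(out)

def project(tt, alphabet):      # tt restricted to tA_i = A_i plus delays
    return normalise(x for x in tt if isinstance(x, int) or x in alphabet)

def prefixes(tt):               # all tt0 <= tt, including time prefixes (a shorter final delay)
    tt, res = normalise(tt), set()
    for k in range(len(tt) + 1):
        res.add(tt[:k])
        if k < len(tt) and isinstance(tt[k], int):
            res.update(tt[:k] + (d,) for d in range(1, tt[k]))
    return res

def strict_prefixes(tt): return prefixes(tt) - {normalise(tt)}

def time_stems(tt):             # the tt0 with tt in tt0 . R>=0: prefixes differing only by a trailing delay
    stem = lambda t: t[:-1] if t and isinstance(t[-1], int) else t
    return {p for p in prefixes(tt) if stem(p) == stem(normalise(tt))}

class TTS:                      # TT = {tt | kind(tt) is not None}; TR = plain or error; TE = error
    def __init__(self, I, O, kind): self.I, self.O, self.kind = frozenset(I), frozenset(O), kind
    A = property(lambda self: self.I | self.O)
    def in_TR(self, tt): return self.kind(tt) in (PLAIN, ERROR)
    def in_TE(self, tt): return self.kind(tt) == ERROR
    def plain(self, tt): return self.kind(tt) == PLAIN
    def magic(self, tt): return self.kind(tt) == MAGIC

def tiots(I, O, states, init):  # states: name -> (clock invariant or None, {action: next state})
    def kind(tt):
        state, clock, status = init, 0, PLAIN
        for x in normalise(tt):
            if status == ERROR: return ERROR            # bottom is chaotic: TE is extension-closed
            if status == MAGIC:                         # top is a time-stop: only delays may follow
                if isinstance(x, int): continue
                return None
            inv, succ = states[state]
            if isinstance(x, int):                      # delay past the invariant: bounded-liveness error
                status, clock = (ERROR if inv is not None and clock + x > inv else status), clock + x
            elif x in succ: state, clock = succ[x], 0
            elif x in I: status = ERROR                 # unexpected input -> bottom
            elif x in O: status = MAGIC                 # unoffered output -> top
            else: return None
        return status
    return TTS(I, O, kind)

def closure(core, time_close=True):   # TE = core errors . tA*; magic absorbs a trailing delay if time_close
    def kind(tt):
        if any(core(p) == ERROR for p in prefixes(tt)): return ERROR
        k = core(tt)
        return MAGIC if k is None and time_close and any(core(p) == MAGIC for p in time_stems(tt)) else k
    return kind

def parallel(P, Q):             # Proposition 2 (P and Q ||-composable)
    def core(tt):
        a, b = project(tt, P.A), project(tt, Q.A)
        sides = ((P, a, Q, b), (Q, b, P, a))
        if any(X.in_TE(x) and Y.in_TR(y) for X, x, Y, y in sides): return ERROR
        if P.plain(a) and Q.plain(b): return PLAIN
        if any(X.magic(x) and all(Y.plain(project(p, Y.A)) for p in strict_prefixes(tt))
               for X, x, Y, y in sides): return MAGIC
    return TTS((P.I | Q.I) - (P.O | Q.O), P.O | Q.O, closure(core))

def lattice(P, Q, combine, magic_ok):   # common shape of Propositions 3 and 4 (equal alphabets)
    def core(tt):
        if combine(P.in_TE(tt), Q.in_TE(tt)): return ERROR
        if combine(P.in_TR(tt), Q.in_TR(tt)): return PLAIN
        if any(X.magic(tt) and magic_ok(Y, tt) for X, Y in ((P, Q), (Q, P))): return MAGIC
    return TTS(P.I, P.O, closure(core))

def disjunction(P, Q):          # Proposition 3: unions; some prefix is magic on the other side
    return lattice(P, Q, lambda u, v: u or v, lambda Y, tt: any(Y.magic(p) for p in prefixes(tt)))

def conjunction(P, Q):          # Proposition 4: intersections; strict prefixes realisable on the other side
    return lattice(P, Q, lambda u, v: u and v, lambda Y, tt: all(Y.in_TR(p) for p in strict_prefixes(tt)))

def mirror(P):                  # TT(P)~ = (O, I, TT, TT \ TE, TT \ TR): swap I/O and error/magic
    swap = {ERROR: MAGIC, MAGIC: ERROR, PLAIN: PLAIN, None: None}
    return TTS(P.O, P.I, lambda tt: swap[P.kind(tt)])

def quotient(P, Q):             # Proposition 5 as written (P dominates Q)
    def core(tt):
        tt, b, qs = normalise(tt), project(tt, Q.A), lambda p: project(p, Q.A)
        sp, ps = strict_prefixes(tt), prefixes(tt)
        if (P.in_TE(tt) and not any(Q.in_TE(qs(p)) for p in sp)) or \
           (Q.magic(b) and not any(P.magic(p) for p in sp)): return ERROR
        if P.plain(tt) and Q.plain(b): return PLAIN
        if (P.magic(tt) and all(Q.in_TR(qs(p)) for p in ps)) or \
           (Q.in_TE(b) and not any(P.in_TE(p) for p in ps)): return MAGIC
    return TTS(P.I | Q.O, P.O - Q.O, closure(core, time_close=False))

def derived_quotient(P, Q):     # the derived operator (TT(P)~ || TT(Q))~ of Section 4
    return mirror(parallel(mirror(P), Q))

# Constructed sample: SPEC wants mid within 2 of req and ack within 2 of mid; PART only promises
# mid within 2 of req. SPEC % PART is the component still to be built (inputs req, mid; output ack).
SPEC = tiots({"req"}, {"mid", "ack"}, {"s0": (None, {"req": "s1"}), "s1": (2, {"mid": "s2"}),
                                       "s2": (2, {"ack": "s3"}), "s3": (None, {})}, "s0")
PART = tiots({"req"}, {"mid"}, {"t0": (None, {"req": "t1"}), "t1": (2, {"mid": "t2"}), "t2": (None, {})}, "t0")
```

Usage: `quotient(SPEC, PART).kind(tt)` and `derived_quotient(SPEC, PART).kind(tt)` classify a trace such as `("req", 1, "mid", 3)` as plain, error, magic or not a trace. For the sample components the two agree on every trace tried: `("req", 1, "mid", 3)` is an error (the missing component must output `ack` within 2 of `mid`), `("mid",)` and `("req", 1, "mid", "mid")` are errors (inputs `PART` can never produce, so the quotient may assume them away), and `("ack",)` is magic (an output the quotient must not produce). Agreement on sampled traces is evidence for the derived-operator claim, not a proof of it, and the discretisation to integer delays is what keeps the prefix quantifiers in Propositions 2 and 5 finite.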

5 Comparison with Related Works 

Based on linear time, our timed theory owes much to the pioneering work on trace theories in asynchronous circuit verification, such as Dill's trace theory [7]. Our mirror operator is essentially a timed extension of the mirror operator from asynchronous circuit verification. The definition of quotient based on mirroring (for the untimed case) was first presented by Verhoeff as his Factorisation Theorem [8].

Our work is also deeply influenced by the work of [5] on timed games, with some modifications. Firstly, a TIOTS is regarded as a set of component strategies, rather than a timed game graph. We adopt most of the game rules in [5], except that, due to our requirement that proposed delay moves are the maximal delays allowed by a strategy, a play cannot have consecutive delay moves. This enables us to avoid the complexity of time-blocking strategies and blame assignment, but does not ensure non-Zenoness$^8$. Secondly, we do not use timestop/semi-timestop to model time errors (i.e. bounded-liveness errors). Rather, we introduce the explicit inconsistent state $\bot$ to model both time and immediate (i.e. safety) errors. Time-stop is used to model the magic state, which simplifies the definitions of parallel composition, conjunction and quotient and enables us to avoid the complexity of having two transition relations and well-formedness conditions on timed interfaces.

Last but not least, our work is related to [4], as both devise a complete timed specification theory. The major difference lies in the use of timed alternating simulation as refinement in [4], while ours is linear-time. An advantage of our work is that refinement is the weakest congruence preserving inconsistency, while the benefit of [4] is the algorithmic efficiency of branching-time simulation checking. Moreover, [4] has fully implemented the timed-game algorithms.

$^8$ Zeno behaviours (infinitely many action moves within finite time) in a play are not regarded as abnormal behaviours in our semantics.

We briefly mention other related works, which include timed modal transition systems [9, 10], the timed I/O model [3] and embedded systems [11, 12].

6 Conclusions 

We have formulated a rich compositional specification theory for components with real-time constraints, based on a linear-time notion of substitutive refinement. The operators of hiding and renaming can also be defined, following our past experience [13]. We believe that our theory can be reformulated as a timed extension of Dill's trace theory [7]. Future work will include an investigation of realisability and assume-guarantee reasoning.

Acknowledgments. The authors are supported by EU FP7 project CONNECT 
and ERC Advanced Grant VERIWARE. 



References 

1. Chen, T., Chilton, C., Jonsson, B., Kwiatkowska, M.: A Compositional Specification Theory for Component Behaviours. In Seidl, H., ed.: Programming Languages and Systems, Proc. 21st European Symposium on Programming (ESOP'12). Volume 7211 of Lecture Notes in Computer Science, Springer-Verlag (2012) 148-168

2. de Alfaro, L., Henzinger, T.A.: Interface automata. SIGSOFT Softw. Eng. Notes 26 (2001) 109-120

3. Kaynar, D.K., Lynch, N.A., Segala, R., Vaandrager, F.W.: Timed I/O automata: A mathematical framework for modeling and analyzing real-time systems. In: RTSS (2003)

4. David, A., Larsen, K.G., Legay, A., Nyman, U., Wasowski, A.: Timed I/O automata: a complete specification theory for real-time systems. In: Proc. 13th ACM International Conference on Hybrid Systems: Computation and Control (HSCC '10), ACM (2010) 91-100

5. de Alfaro, L., Henzinger, T.A., Stoelinga, M.: Timed interfaces. In Sangiovanni-Vincentelli, A., Sifakis, J., eds.: Embedded Software. Volume 2491 of LNCS, Springer-Verlag (2002) 108-122

6. Wang, X.: Maximal Confluent Processes. In: Proc. of PETRI NETS 2012. Volume 7347 of Lecture Notes in Computer Science, Springer-Verlag (2012)

7. Dill, D.L.: Trace theory for automatic hierarchical verification of speed-independent circuits. ACM Distinguished Dissertations. MIT Press (1989)

8. Verhoeff, T.: A Theory of Delay-Insensitive Systems. PhD thesis, Dept. of Math. and C.S., Eindhoven Univ. of Technology (1994)

9. Bertrand, N., Pinchinat, S., Raclet, J.B.: Refinement and consistency of timed modal specifications. In: LATA (2009) 152-163

10. Cerans, K., Godskesen, J.C., Larsen, K.G.: Timed modal specification - theory and tools. In: CAV (1993) 253-267



Revisiting Timed Specification Theories: A Linear-Time Perspective 


11. Thiele, L., Wandeler, E., Stoimenov, N.: Real-time interfaces for composing real-time systems. In: EMSOFT (2006)

12. Lee, I., Leung, J.Y.T., Son, S.H., eds.: Handbook of Real-Time and Embedded Systems. Chapman & Hall/CRC (2007)

13. Wang, X., Kwiatkowska, M.Z.: On process-algebraic verification of asynchronous circuits. Fundam. Inform. 80 (2007) 283-310



